<--

Apache Cordova for Android Cross-App Scripting

Aleph Research Advisory

Identifier

Severity

High

Product

Apache Cordova for Android

Vulnerable Version

3.5.0 and below

Mitigation

Upgrade to 3.5.1 or later

Technical Details

Attackers can influence the URL of Cordova’s WebView in two different way:

public void CordovaWebView.loadUrl(String url) {
  if (url.equals("about:blank") || url.startsWith("javascript:")) {
    this.loadUrlNow(url);
  } else {
    String initUrl = this.getProperty("url", null);
    // If first page of app, then set URL to load to be the one passed in
    if (initUrl == null) {
      this.loadUrlIntoView(url);
    }
    // Otherwise use the URL specified in the activity's extras bundle
    else {
      this.loadUrlIntoView(initUrl);
    }
  }
}

First, CordovaWebView.loadUrl(String url) and CordovaWebView.loadUrl(String url, int time) consume the Intent’s ‘url’ extra parameter instead of the ‘url’ argument. The first method does that only if the argument’s URI scheme is not JavaScript and the URI is not ‘about:blank’. Therefore, if the ‘url’ extra parameter can be influenced by the attacker (which is often the case), the WebView’s URL can be controlled. The second issue relates to the ‘errorurl’ Intent extra parameter and is very similar despite the fact that it is used only if there is an error when loading the original URL (such as connectivity issues). More about the second issue can be found the paper.

Timeline

Credit

External References